
Research: Basic Controls Can Prevent Majority of Reported Breaches

Fewer than a third of data security incidents are responsible for the vast majority of the personal data that’s lost or exposed each year.

A focus on relatively simple controls and best practices could prevent millions of individuals’ data from being put at risk each year.


According to research by Huntsman Security into publicly available data and Freedom of Information requests from the ICO and Australia’s OAIC, fewer than a third of data security incidents are responsible for the vast majority of the personal data that’s lost or exposed each year.


Huntsman Security’s review of UK ICO data for 2024 shows that just 2,817 data security incidents, or less than a third (29 percent) of the 9,654 where a cause could be identified, were linked to the specific threat vectors of brute force attacks, malware, phishing, ransomware, or system misconfigurations. These incidents were responsible for nearly 80% of all individuals affected by a data security incident that year, with 13.9 million people impacted out of a total of 17.6 million.

 

These 2,817 incidents also made up around 90% of all cyber-related data security incidents, underlining the importance of prioritising controls that protect against them. Many of these attacks are targeted, and therefore more likely to compromise high-value data, including health records, financial information and identity documents, thereby increasing the risk of data loss for both individuals and organisations.


“While it’s unrealistic to expect organisations to prevent every breach, the data shows that implementing some basic controls could really make a difference,” said Peter Woollacott, CEO at Huntsman Security.


“Adhering to established security frameworks like NIST or the ACSC Essential Eight can dramatically reduce not only the number of incidents, but – more importantly – the number of people affected by those incidents overall. Putting in place baseline controls such as effective and timely patching, multi-factor authentication, user application hardening and regular backups can make the world of difference when it comes to effective cybersecurity.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
